Introduction
netsniff-ng is a free, performant Linux networking toolkit.
The gain of performance is reached by zero-copy mechanisms, so that on packet reception and transmission the kernel does not need to copy packets from kernel space to user space and vice versa.
The toolkit can be used for network development and analysis, debugging, auditing or network reconnaissance.
Toolkit
* netsniff-ng is a high-performance network analyzer based on packet mmap(2) mechanisms. It can record pcap files to disc, replay them and also do an offline and online analysis.
* trafgen is a high-performance network traffic generator based on packet mmap(2) mechanisms. It has its own flexible, macro-based low-level packet configuration language.
* mausezahn is a performant high-level packet generator that can run on a hardware-software appliance and comes with a Cisco-like CLI. It can craft nearly every possible or impossible packet.
* bpfc is a Berkeley Packet Filter (BPF) compiler that understands the original BPF language developed by McCanne and Jacobson. It accepts BPF mnemonics and converts them into kernel/netsniff-ng readable BPF opcodes.
* ifpps is a tool which periodically provides top-like networking and system statistics from the Linux kernel. It gathers statistical data directly from procfs files and does not apply any user space traffic monitoring that would falsify statistics on high packet rates. For wireless, data about link connectivity is provided as well.
* flowtop is a top-like connection tracking tool that can run on an end host or router. It is able to present TCP or UDP flows that have been collected by the kernel's netfilter framework. GeoIP and TCP state machine information is displayed.
* curvetun is a lightweight, high-speed ECDH multiuser VPN for Linux. curvetun uses the Linux TUN/TAP interface and supports {IPv4,IPv6} over {IPv4,IPv6} with UDP or TCP as carrier protocols.
* astraceroute is an autonomous system (AS) trace route utility. Unlike traceroute or tcptraceroute, it not only display hops, but also their AS information they belong to as well as GeoIP information and other interesting things.
For more information see the netsniff-ng homepage, README, INSTALL, FAQ, and the Documentation directory
Installation
Tested in default installs of:
Ubuntu Desktop 12.04 i386
Ubuntu Desktop 12.04 x86_64
Ubuntu Server 12.04 i386
Ubuntu Server 12.04 x86_64
sudo apt-get install git build-essential flex bison ccache libnl-3-dev libnl-genl-3-dev libgeoip-dev libnetfilter-conntrack-dev asciidoc libncurses5-dev liburcu-dev libnet1-dev libpcap-dev
Next, install the latest version of libpcap.
git clone https://github.com/mcr/libpcap cd libpcap ./configure make && make install
Compile and install netsniff-ng.
git clone https://github.com/borkmann/netsniff-ng cd netsniff-ng/src make sudo make install
For more options:
make help
You may encounter an error like the following when building curvetun:
./nacl_path.sh: 20: ./nacl_path.sh: source: not found Done! source ~/.bashrc /bin/sh: 1: source: not found make: *** [nacl] Error 127
If that's the case, then source your ~/.bashrc to pick up the two new NACL variables:
source ~/.bashrc
Then build again:
make && sudo make install
Documentation is installed in /usr/share/doc/netsniff-ng.
Sample configurations are installed in /etc/netsniff-ng
Examples
Netsniff-ng
Listen to the first available interface and print a single packet.
netsniff-ng --num 1
Write traffic coming in on eth0 to dump.pcap and don't print any output.
netsniff-ng --in eth0 --out dump.pcap --silent --bind-cpu 0
Netsniff-ng is great for full content packet capture. The following example will write a new pcap to the /mypcaps directory each day.
netsniff-ng --in eth0 --out /mypcaps --interval 24hrs
Drop privileges to uid 1000 and write a new capture file to the current directory after every 10GB of traffic with the naming convention, 10gig.$timestamp.pcap
netsniff-ng --in eth0 --out . --prefix 10gig. --interval 10GiB --user 1000 --group 1000 $ ls 10gig.1349501115.pcap 10gig.1349501161.pcap 10gig.1349501169.pcap
Using mmap(), send quickly, packets from eth0 to eth1.
netsniff-ng --in eth0 --out eth1 --mmap --silent --prio-high
Replay a network trace to an IDS listening on eth0 or attached to a hub.
netsniff-ng --in dump.pcap --mmap --out eth0 -k1000 --silent --bind-cpu 1
Apply a BPF filter, print matched packets in ASCII, accept jumbo frames, and increase verbosity:
netsniff-ng --in any --filter http.bpf --jumbo-support --ascii -V
Write a low-level BPF filter with bpfc and then pass to netsniff-ng.
$ cat sample_bpf.txt
; tcpdump equivalent
; 'ether src aa:bb:cc:dd:ee:ff'
ld [8] ; load 4 bytes from src MAC
jneq #0xccddeeff,drop ; compare 4 bytes, move to next instruction if equal
ldh [6] ; load 2 bytes from src MAC
jneq #0xaabb,drop ; compare 2 bytes, move to next instruction if equal
ret #1514 ; return 1514 bytes of packet
drop:
ret #0 ; return 0 (no packet)
$ bpfc -Li sample_bpf.txt > ethernet.bpfc
{ 0x20, 0, 0, 0x00000008 },
{ 0x15, 2, 3, 0xccddeeff },
{ 0x28, 0, 0, 0x00000006 },
{ 0x15, 0, 1, 0x0000aabb },
{ 0x6, 0, 0, 0x000005ea },
{ 0x6, 0, 0, 0x00000000 },
$ netsniff-ng --in eth0 --out ethernet.pcap --filter ethernet.bpfcUse tcpdump to dump BPF filter opcodes to file and pass to netsniff-ng.
tcpdump -dd 'ip src 192.168.1.1 and tcp and port (53 or 80 or 443)' > myfilter.bpf netsniff-ng --in eth0 --filter myfilter.bpf --ascii
Tcpdump-style filters can be used as well.
netsniff-ng --in eth0 -f "ip and tcp and port (80 or 443)"
Ifpps
Print system statistics every 1 second (1000ms):
ifpps --dev eth0 --promisc
Write statistics every 5 seconds to a file in CSV format and then print the PPS and drop count fields.
ifpps --dev eth0 --interval 5 --promisc --csv -l > stats.csv
awk '{ print $4,$5 }' stats.csv
Flowtop
Install the updated GeoIP databases and place them where flowtop expects them to be.
apt-get install zlib1g-dev make geoip
By default, flowtop tracks IPv4 & IPv6 flows carrying TCP.
flowtop
Tell flowtop where to find the IPv4 GeoIP databases and watch for UDP traffic
flowtop --ipv4 --city-db4 /usr/share/GeoIP/GeoLiteCity.dat --country-db4 /usr/share/GeoIP/GeoIP.dat --udp
Examine IPv4 traffic carrying ICMP.
flowtop --ipv4 --icmp
